February 08, 2015

Security peeps, I am happy to announce that once again this year we will be conducting the Security Bloggers Network Security Blogger Awards to be presented at the Security Bloggers Meet-up at RSA Conference. Most of you know we have been holding our bloggers meet-up and awards for years now and it is one of the most popular events of RSA Week. This year promises to be no different. More news on the meet-up will be forthcoming, but for now here is the deal with the blogger awards.

We are going back to basics on the awards this year. We have appointed a blue ribbon panel of your peers who will be nominating the finalists in all categories. Once the judges have made their selections, voting will be open to bloggers (around February 20th). Voting will be open for one month. Winners will be announced at the bloggers meet-up.

The judges this year are:

1. Rich Mogull, CEO, Securosis

2. Illena Armstrong, VP editorial, SC Magazine

3. Kelly Jackson Higgins, Executive editor, Dark Reading

4. George V. Hulme, award winning writer and journalist

5. Ericka Chickowski, award winning security journalist

Some of the judges are “crowdsourcing” their nominations and looking for input from knowledgeable security folks. They will announce if they are looking for input.

The categories for this year's awards are:

Best Corporate Security Blog

Best Security Podcast

The Most Educational Security Blog

The Most Entertaining Security Blog

The Single Best Blog Post or Podcast Of The Year

Best New Security Blog

Finalists will be announced around February 20th, so stay tuned.

Good luck to all of you bloggers out there and hope to see you all in San Fran at the Bloggers meetup at RSA Conference!

December 18, 2014

This whole affair around Sony’s “The Interview” has just made me more angry and dismayed. Besides Sony once again being hacked too easily it seems, I am disgusted that we are going to acquiesce to cyber blackmail and allow a small group of thugs to censor our freedom of speech and expression. Have we become so easily in-timid-ated that we are going to allow this? I wouldn’t. I would like to buy my ticket, get in line and go see “The Interview” today just to show that threats and intimidation will not have us give up our beliefs and rights.

First, on the hack of Sony, I say shame on Sony. Yes, anyone can get hacked, but the fact is in Sony’s case it is getting old already. Their security policies, processes and management have proven time and time again to be lacking. I had some firsthand knowledge of Sony’s security some years back and it was frankly pretty bad then, and it looks like it hasn’t improved much since, despite being the victim (and I use that term loosely) of several high profile breaches in the past.

The next thing that I disagree with is the categorization of the alleged North Korean attackers as cyberwarriors, as a unit of 1800 or so, some new version of the “yellow horde” and of the sophistication of this attack and their ability to bring a 9/11 type of event down on every movie theater here in the US. Nuts to all of that!

First off, a unit of 1800 or so is not exactly an army. A large bank will have as many cyber security people on the payroll. Let’s not even imagine what some US agencies or DoD units have. Both in number and sophistication of technology, we are not talking major leagues here.

The same could be said of their ability to launch an attack here in our country. The North Koreans have been historically big talkers, making outrageous claims about their abilities and aims. It used to be that we were confident enough to laugh at their threats as the ranting of a madman, if not some petulant child upset with not getting their way.

They have threatened to launch nuclear strikes against us, and they released a video last year with NYC in flames. They constantly threaten Armageddon every time we have a joint military exercise with South Korea. These guys make Saddam Hussein and his “Mother of All Wars” rhetoric look like a reasonable person.

They have made statements like:

“If the US imperialists threaten our sovereignty and survival… our troops will fire our nuclear-armed rockets at the White House and the Pentagon – the sources of all evil.”

“You can also tell this by his appearance and behavior, and while it may be because he is a crossbreed, one cannot help thinking the more one sees him that he has escaped from a monkey's body.”

And had these lovely words for the leader of South Korea:

“What she did this time reminds one of a disgusting old prostitute raising even her skirt, not feeling any shame to bring a stranger into her bedroom.

It is a shame and disgrace of the Korean nation that there is such a pro-U.S. indecent philistine and vile prostitute serving the U.S. as Park Geun Hye.”

This is also the regime that, in building up the image of its leaders, publishes things like:

Divine birth - Legend has it that a double rainbow and a glowing new star appeared in the heavens to herald the birth of Kim Jong Il, in 1942, on North Korea's cherished Baekdu Mountain. Soviet records, however, indicate he was born in the Siberian village of Vyatskoye, in 1941. The people of North Korea, many of whom are reportedly battling famine, are apparently told that Kim's birthday is celebrated throughout the world.

High achiever - Official records reportedly show that Kim learned to walk at the age of three weeks, and was talking at eight weeks. While at Kim Il Sung University, he apparently wrote 1,500 books over a period of three years, along with six full operas. According to his official biography, all of his operas are "better than any in the history of music." Then there's his sporting prowess. In 1994, Pyongyang media reported that the first time Kim picked up a golf club, he shot a 38-under par round on North Korea's only golf course, including 11 holes-in-one. Reports say each of his 17 bodyguards verified the record-breaking feat. He then decided to retire from the sport forever.

Didn't defecate - It is reported that Kim's official biography on the North Korean state web site, which has since been taken down, claimed that Kim did not defecate.

So you are going to talk to me about liability. Who wants to take the risk of showing the movie and then being sued when something happens? I understand how risk averse we are in litigious America. But there are other ways this movie can be released which would show that you cannot intimidate us into giving up our freedom of speech.

Fred Wilson in his AVC blog today has a great idea. Rather than locking The Interview film in a vault and eating the tens of millions of dollars sunk into it, release it for the world to see. Put it on BitTorrent and let the vaunted North Korean cyberwarriors try to stop that. Let Netflix or some other streaming service distribute it. Show these hoodlums that they will not silence us with threats and cyber-attacks.

It is at times like this and when these things happen that we are reminded of what another American President said to the people of Berlin at a time their freedoms were being threatened:

“All free men, wherever they may live, are citizens of Berlin, and, therefore, as a free man, I take pride in the words ‘Ich bin ein Berliner!’” Today all free men should stand up and demand that this movie be released, that we stand up for what is right, that we don’t let evil terrorists dictate to us.

July 22, 2014

A couple of weeks ago I went up to Orlando for the IBM Innovation conference. The event was at the Swan/Dolphin resort in Disney World. IBM knows how to throw a conference and Innovate had all of the bells and whistles. But most of all it had great learning opportunities by hearing from some leading thinkers on what the future of development and software innovation looks like.

One thing on prominent display was IBM’s BlueMix PaaS. Hosted on IBM’s SoftLayer hosting platform but portable enough to play on other cloud infrastructure, BlueMix is an entire ecosystem of building blocks allowing you to build fully functional applications rapidly.

In typical IBM fashion BlueMix is a really deep, well thought out development platform. It is the kind of offering that midmarket companies typically look at yearningly, but know that price wise it may be out of their reach. For good reason, that kind of functionality typically doesn’t come cheap. But we live in amazing times.

Thanks to the SaaS model that BlueMix is based on, this great PaaS platform is priced for everyone. Speaking to IBM, I was told that BlueMix pricing probably won’t be announced until the end of June. However, I was assured that the pricing will be very reasonable for even small organizations.

That is the promise of the SaaS model. Since it is hosted and you just “pay as you go” the best IBM has to offer is now within the grasp of smaller organizations. The cloud and DevOps are the ultimate equalizers.

So what can BlueMix do for you, now that you can afford it? Let’s start with exactly what BlueMix is:

Bluemix is an implementation of IBM’s Open Cloud Architecture, leveraging Cloud Foundry to enable developers to rapidly build, deploy, and manage their cloud applications, while tapping a growing ecosystem of available services and runtime frameworks.

BlueMix allows you to literally build a full featured app in minutes. The best way to show you I think is through one of the excellent videos the BlueMix team has put up. Here is a great demo of BlueMix in action:

This kind of ease of use and power in building apps was only the stuff of dreams for even the biggest companies just a few years ago. Now this class of solution is within your reach.

If you haven’t already you should check out a BlueMix demo during IBM’s 200 days of BlueMix which are being held all over the world. I saw several demos during Innovate and was surprised how much was layered into BlueMix.

Of course Innovate wasn’t all BlueMix. There was lots of great stuff on DevOps. My personal highlights were the keynote presentation by Gene Kim, author of The Phoenix Project and a friend of mine, and the presentation by the CIO of GE Capital Bank, Vasanthi Sekhar. Both were excellent!

Overall a big theme of the show was that IBM is a leader in DevOps and that DevOps was not just for the Googles and Facebooks of the world. Big banks, insurance companies and other large organizations are all benefiting from using DevOps in their IT organizations. This was in direct contrast to a recent story in the Wall Street Journal that DevOps was not ready for the enterprise yet. Based on what I saw there is no doubt.

There was a lot of talk that next year IBM may be consolidating several of their larger shows like Innovate into one super show. If so, it will be a do not miss event.

In the meantime BlueMix pricing will be out around the end of the month and available to everyone. It could change the way you develop applications whether you are a large enterprise or a midmarket team.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

May 05, 2014

Better communication between security and executive team key to better security

A new survey from the Ponemon Institute about security metrics and the interaction between security teams and executives offers some great insights on the communication, or rather the lack thereof, between security teams and senior executives. After reviewing the results, it might help explain why security at many midmarket firms is not as good as it should be.

Without even getting into what metrics you should measure and what you should report, the survey shows some startling findings around how security admins and the executive team interact (or at least how they perceive each other to interact).

There would seem to be a disconnect between how strong the organization's security posture was as perceived by the security pros versus what they thought the executives thought. Security pros felt that 66% of executives thought that their organizations were either very strong or well above average, while only about 39% of security pros felt that their organizations were very strong or well above average.

Looking further into why executives don’t have a realistic view of the security posture of the organization, respondents cited several factors that all scored more than 50%.

Interestingly, over 70% of respondents think communication is at too low a level (I assume on the executive side). Does this mean high level executives are not engaged? The next most popular choice, only communicating when there is an incident, is a classic issue, and in more than just security. Two of the other popular answers, that information is too technical and that negative facts are filtered, are ones I have heard many times.

Many security pros tell me they have to “dumb down” security metrics to allow executives to understand them. Others have said that any technical information just shuts executives down from paying attention. My issue is there are some things that are important and can’t be dumbed down without losing their importance. We need to convey the real importance and it may take a little deeper understanding. This screams to why you need a security person in the executive room. However, even today most midsize organizations do not have a CISO or equivalent as part of their executive team.

Filtering out negative facts is another common problem. No one wants to be the bearer of bad news. Security has gotten a sky-is-falling reputation. After a while we move from Chicken Little to the “boy who cried wolf” and no one pays attention. This is certainly borne out in the survey answers.

Perhaps the most surprising responses were on when the executive team meets with the security team:

Over 50% of respondents said they meet with the senior executives only when a serious risk is revealed or that they don’t communicate at all. That is scary. Scarier still is that only 13% of organizations have regularly scheduled meetings.

The rest of the report is chock-full of more great information and insights.

Until security teams can get their heads around which information is important and then tackle how to best show it to the executive team, we are destined to repeat many of the failures of the past. That is too bad. Let’s hope for all of our sakes that we begin to answer these questions soon.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

March 11, 2014

I am very proud to announce that DevOps.com launched today. My co-founder, Martin Logan, and I have been working on getting this new site and business up and running for many months now. DevOps.com's tagline is “where the world meets DevOps.”

This truly is our mission as well. DevOps.com will offer the most original content on DevOps in the world. We will have content for everyone. From the most technical issues to general business questions, we will be a big tent for DevOps.

We have assembled a dream team of writers and bloggers who have already written outstanding stories that will be published over the next weeks and months. We will soon have some great community features as well that will help the entire DevOps community. Writers are not the only dream team part of DevOps.com. In the coming days and weeks we will announce our all star board of advisors, sponsors and other important members of the DevOps.com family.

But today there are two people I want to point out. One is Martin Logan, my co-founder. When I originally started thinking about doing a site on DevOps, I really wanted the DevOps.com domain. I reached out to Martin to see if he would consider a reasonable offer. A few hours later we were partners. Martin has a great DevOps resume and his behind the scenes work has made this day possible.

The second person I want to shout out to is my long time friend, Rajat Bhargava. Raj and I have worked together since my Interliant days back in the dotcom boom. We did StillSecure together. With DevOps.com Raj has rolled up his sleeves and helped me in any way he could. While he is busy with his own new startup, JumpCloud, he always had time to answer a question, think through an issue or make an introduction. Couldn’t do this without him.

I have been following the growing DevOps movement since I met Gene Kim 3+ years ago. This past fall I attended my first DevOps conference and saw firsthand how DevOps was changing the way IT worked. I read The Phoenix Project and it all came together for me.

I recognized that I had a mission with DevOps.com to bring DevOps across the chasm from early adopters and visionaries to the mainstream.

I am grateful for the support of so many of my friends who have helped and supported this effort. The site you see today is just the beginning. In true DevOps fashion we will continue to iterate and make the site better. Give us time.

In the meantime, please check out the site. Sign up for our newsletter. Follow us on Twitter @devopsdotcom or on Facebook, LinkedIn or Google+.

February 20, 2014

Well the last vote has been tallied for the Security Blogger Awards. We had more votes this year than ever. And the winners are . . . Sorry you will have to wait until they are announced at the Security Bloggers Meetup at RSA.

You can be there live, in person to hear the winners announced and enjoy one of the best parties of RSA, but only if you already received your invite and RSVP’d. The last day to request an invite was yesterday. So if you haven’t by now, see you next year. If you did request an invite you only have until Friday to RSVP and then the list is closed. So don’t wait.

Of course whether you are going to the Bloggers Meetup or not, if you are an SBN member you can still stop by the SBN lounge at RSA in Moscone South during the show. I will be there most days and looking forward to seeing many of you there too.

We will post the winners as we always do, after the award and meetup. So if you can’t make it to RSA this year, you will know who won.

This should be our biggest, best bloggers meetup yet. Looking forward to seeing friends old and new. Also thanks to our sponsors!

February 04, 2014

Yesterday we sent out an email to those SBN members who we have contact info for. The email announced that our friends at RSA Conference have set up a special Security Bloggers Network Lounge for our members this year! All SBN members are welcome regardless of what type of badge you have (yes even expo only).

At the lounge you will have plenty of seating, power and access, and we will try to bring in some refreshments. Whether you are taking a break between sessions, tired of walking the show floor, or just need a break from the hustle and bustle, come take a load off at the SBN Lounge.

The lounge will be located near the entrance to South Hall on the central "bridge" off of South Lobby - behind the Information Desk. The lounge will be open:

* Monday: 9am - 8pm

* Tuesday: 7am - 6pm

* Wednesday: 8am - 6pm

* Thursday: 8am - 6pm

* Friday: 8am - 3pm

Many thanks to Jeanne Friedman and our friends at RSA Conference for making this available to us. If you have not received your email and you blog for an SBN member security blog or would like to join the SBN please write to info@securitybloggersnetwork.com for information.

January 28, 2014

Most of you reading this have heard about the holiday time breaches at national retailers. Since then we have heard that as many as six other leading retailers may also have suffered breaches during the same period under similar circumstances. Word on the street is that these breaches are much more widespread and just about any POS may be at risk. The culprit is something they are calling BlackPOS.

So if you think POS breaches are something that just large retailers need to worry about, think again. It seems that this BlackPOS is some new Trojan/remote control malware that is infecting POS systems, giving criminals the ability to steal your customer’s data every time you swipe their credit card. Even worse, it seems that this malware can give the bad guys the ability to also gain access to your databases where your customer information is kept. This malware has been called BlackPOS in various reports.

From reports I have read and heard from my friends in the security industry, it seems the malware behind these attacks was available for sale to the cyber-crime industry at large, and cheap too. It was a land grab with everyone trying to get it on as many POS systems as they could. If you think your business would not be a target you are dead wrong. I am not trying to scare you here. But if you use a POS system you should make sure that you test it for malware, especially if your POS is Windows based.

As a result of this breach I fully expect the industry to move full speed ahead with the Chip and PIN standard that is scheduled to go into effect in the US next year and is already standard in Europe. While many of these initiatives are often delayed, with this kind of pressure I don’t think the credit card companies have a choice.

Historically fraud has accounted for about five cents out of every 100 dollars spent via credit card. That was realistically speaking not worth the greater effort required to move to a new system. But now I think the genie is out of the bottle.

Of course there is no guarantee that chip and PIN is a panacea. There will be new vectors and methods developed to circumvent those systems as well. But in the meantime you should be planning to move to equipment that supports the new standard. You should also be planning on what it means for your business. If you partner with IBM or others, they have the expertise to make your upgrade smooth and quick with minimal disruption. If not, put the time and effort in now to plan your migration.

Also now may be a good time to review your breach plans. You should have in place a plan to follow on what to do if you are the victim of a breach. Don’t make it up as you go along in the heat of the moment. Take the time now to plan out what you need to do if indeed you are breached. How you react to the breach could be the difference between being in business after a breach versus not surviving.

Anyone and everyone could be the victim of a breach. No one is immune or under the radar. The way to succeed after a breach is to plan what you are going to do when, not if, you are breached. In the meantime check your POS to make sure you are not already a victim.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

January 26, 2014

OK, we’ve made the list, checked it twice and it is time to vote! After much back and forth, a lot of thought by our judges and a lot of work by Joe Franscella and the Trainer Communications team, we are ready for you to vote.

Voting will be open only until February 14, 2014, so please don’t wait. Only one vote per person and we are checking IPs, addresses, etc. Any attempted ballot box stuffing will result in DQ! Winners will be announced at the Security Bloggers Meetup at RSA.

Before I give you the link to vote, let me also thank our judges for this year's Blogger Awards:

1. Kelly Jackson-Higgins of Dark Reading

2. Wendy Nather of 451 Research

3. Illena Armstrong of Haymarket Media and SC Magazine

In addition to our judges' nominations some blogs self-nominated. Good luck to all of the nominees!

Book Review: “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012)” by Parmy Olson: http://terebrate.blogspot.com/2013/05/book-review-we-are-anonymous-inside.html

January 23, 2014

We are about a month out from this year's RSA Conference and related events. For those of you who write about security in blogs or media, we are still accepting invite requests for this year's Security Bloggers Meetup, which will be our biggest and best yet. If you have not gotten an invite and think you should, please go to: https://docs.google.com/forms/d/1ibXn64AzlOWF7LX5wsv4qMTTNvmkYX7xQu8Gqnei6iU/viewform to request one.

A reminder that though we have increased capacity this year, the meetup is still only open to bloggers and those who podcast or write about security. If you are invited, it doesn’t mean you can bring your marketing team, friends and anyone else. One of the things that has made the Bloggers Meetup as popular as it has become is the fact that it is by the bloggers, for the bloggers. So please don’t make Rich Mogull the bad guy ;-) If you are a blogger or podcaster, come hang out with your peers. Eat, drink and be merry.

I know many of you are asking when voting for the Blogger Awards starts. Well, first of all, sorry that it has taken this long to get the nominees up. We should have voting open in the next day or two. Stay tuned for info on this very soon. Voting will be open for two weeks and you will need to have a valid email address to be eligible.

December 17, 2013

Wow, 2014! Let that roll off of your tongue a few times. Well time and security blogging march on. This year the planning committee for the RSA Conference Security Bloggers Meetup has been hard at work to make this the biggest and best Bloggers Meetup and Blogging Awards event ever.

We have doubled the capacity of our venue so we will not have to turn down anyone who wants to come join us and is eligible to do so. We have also made sure we have great entertainment, great food and drink. But the real secret to the Bloggers meetup is the people. For those of you who have attended in the past, you know this is the case. So this year there will be more people at the meetup than ever.

Invites to this year's bash will be sent out after New Years. If you are on our mailing list already, you should get an invite. If you are not and would like to be, you need to be writing/blogging about security. If you do, you can contact Jennifer Leggio at mediaphyter@gmail.com after New Years.

Of course all of this increased capacity and good stuff doesn't come cheap. None of this would be possible without the generous support of our sponsors. Most of our sponsors have been with us for many years, almost back to the first bloggers meetup.

I know some of you have inquired about additional sponsorships for the event, but sponsorships are all sold out for this year. We can put you on a list for next year if you like, but no guarantees. Or, if you like, you can sponsor the Security Bloggers Network. You can write to info@securitybloggersnetwork.com if you are interested.

What about the Security Blogging and Podcasting Awards? You bet we will announce them at the meetup. We are also very happy to announce our judges for this year's awards. Please join us in thanking:

Kelly Jackson Higgins of Dark Reading

Wendy Nather of 451 Group

Illena Armstrong of SC Magazine

and special guest judge

Chris "Beaker" Hoff

We will announce where to vote for the winners after the first of the year. Again this year Trainer Communications will be helping with tabulating the voting. Thanks to Trainer.

So the time is growing near. Merry Christmas and Happy New Year to you all and in just a few weeks see you in San Francisco!

November 20, 2013

My friend Mitchell Ashley reached out to me a few weeks ago and said “we had a great time when we used to do podcasts, we should do them again.” Well he didn’t have to twist my arm. Mitchell and I sat down to record a quick 20 minute show. We caught up with what he has been up to over the last few years. We also discussed the recent AWS re:Invent conference out in Las Vegas and how big public cloud and the Cloud in general has become.

We discussed DevOps, security automation and a bunch of other trends that Mitchell and I are seeing in the market. It was great having Mitchell back to podcast with again. We have already planned next week's show, which will feature a special guest as we discuss APT.

We mentioned a couple of links and articles in the podcast. Here are the links to these:

Mitchell’s blog post on CIO role: http://goo.gl/fzH5K The CIO Role - From Tech Manager to IT Services Broker

November 18, 2013

I know it is hard to believe, but it has been that long. It seems like just last week RSA Conference in San Francisco was ending and we said we need to start planning next year's Security Bloggers Meetup and Security Blogger Awards. But no, it has been more than just a week or two. We are just 2 to 3 months away from RSA Conference 2014!

Luckily the organizing committee of the Security Bloggers Meetup and Blogger Awards has been hard at work. This year's event is going to be our biggest and best yet. We have substantially increased our budget, which will allow us to have more room, food, drink and fun. We will also be able to accommodate more of you. We will be making more information available in the next few weeks.

Before I forget, I want to thank my fellow committee members for all of their hard work. Jennifer Leggio continues to be the workhorse of our group even though she is now an executive at Cisco ;-). Our Securosis friends have doubled down their commitment to the event, as we now officially have both Rich Mogull and Mike Rothman helping out, and of course Jeanne Friedman of RSA Conference itself remains our rock. With Martin McKeay moving to London, he has not been as involved with this year's planning. Together, this group has lots of good times in store for our attendees, so stay tuned.

I have received more than a few notes about this year's Security Bloggers and Podcast Awards. Of course we will be holding them at the meetup once again. We are going to have the same categories as last year:

Best Corporate Security Blog

Best Security Podcast

The Most Educational Security Blog

The Most Entertaining Security Blog

The Blog That Best Represents The Security Industry

The Single Best Blog Post or Podcast Of The Year

The Security Bloggers Hall Of Fame

This year we will again have a blue ribbon panel of judges, but like last year we will accept nominations from the public. The highest number of votes wins. Nominations are open now, so if you would like to be considered, write to info@securitybloggersnetwork.com with your blog or podcast name, what category you want to be considered for and contact information. Voting will be held after the first of the year. So get your nominations in now!

October 01, 2013

The PCI DSS standards have been around for more than a few years now and, right or wrong, they have found their way into the day to day business functions of most businesses that accept credit cards or those that service merchants who do. Many in the security industry have lamented that PCI has wrought a culture of “checkbox” security where merchants and others in the PCI ecosystem seek a lowest common denominator level of security. For years the PCI Council has been seeking to raise the minimum levels of earlier PCI data security standards by introducing more of a risk management approach to PCI.

The latest draft of the PCI DSS, version 3.0 is due out shortly. Due to the elongated implementation cycles adopted a while back, this newest version won’t be in effect until January of 2014 and won’t be fully in effect until June of 2014.

While smaller merchants may not see many changes in the day to day management of PCI, midsize organizations should see PCI merge with their existing security and risk management processes and policies. For instance, the requirement for penetration testing should not be a new exercise for most midsize companies.

Overall the trend behind PCI 3.0 is more towards a holistic risk management approach. Understanding vulnerabilities, prioritizing them in light of the business and remediation were all introduced in PCI 2.0 and expanded upon in 3.0.

Moving away from point in time requirements towards a continuous process of compliance and risk management is to me perhaps the biggest theme in this new version. Recognizing that you can’t just say that you were PCI compliant one day and not the next because a breach occurred is a step in the right direction.

Of course if you are new to PCI, or up to this point have only been doing the minimum to meet the requirements, PCI 3.0 may represent a wakeup call to you and your organization. Frankly, though, if this is what it takes to make your organization take security and risk management seriously, it is not a bad thing.

Another thing that I see with the new DSS is that for Level 1 merchants and even larger Level 2 merchants, it will require more hands-on PCI expertise from consultants or PCI experts. Could be a case of job security built in.

One other piece of good news is that with the new cycles, there won’t be another revision to the PCI DSS for a couple of years after this. Long enough to get your head wrapped around this one. Good Luck!

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

September 16, 2013

The recent announcement that the US Department of Interior (DOI) is undertaking a 10 year migration to the cloud through IBM made headlines because of its potential One Billion Dollar ($1b) value. One can read that number and immediately assume that it is a big deal for a large government agency without much appeal to the midsize market. But if you know anything about the DOI you would realize that this move has significant impact on the midmarket as well.

While the DOI collectively rivals the size of many large enterprises, it is actually comprised of over a dozen agencies and bureaus. Among them are:

· Bureau of Indian Affairs

· Bureau of Land Management

· Bureau of Ocean Energy Management

· Bureau of Reclamation

· Bureau of Safety and Environmental Enforcement

· National Park Service

· Office of Surface Mining, Reclamation and Enforcement

· U.S. Fish and Wildlife Service

· U.S. Geological Survey

While some of these are large organizations unto themselves, others are smaller and more closely resemble a midsize organization. The fact that they are “putting all of their eggs” in the cloud is a powerful statement indeed.

The fact that IBM is providing the cloud infrastructure as an integral part of this program is perhaps one reason why the DOI has decided to shift so much of their IT infrastructure to the cloud. But while IBM assets may be an enabler, the bigger picture is that the time for the cloud has come. Companies' concerns over security and visibility into cloud deployments have been answered in many respects.

Up until now it was actually the enterprise that was leading the way in adopting the cloud. Almost counter-intuitively, they were quicker to move development and some non-critical IT infrastructure to the cloud. They have the in-house security resources to supplement what they need in order to trust the cloud. On the other end of the spectrum, small companies do not have the resources to supplement the cloud, but could not compete against the cost savings that the cloud offers. So they moved to the cloud quicker as well. This left the midmarket organization in a reverse Goldilocks situation: not enough resources to make the cloud secure enough for them, but too much to lose in using the cloud in an insecure manner.

Now companies like IBM are leading the way in offerings that will allow midmarket companies to adopt the cloud in a secure manner. By having security built into the offering like the IBM smart cloud, midmarket organizations have off the shelf solutions available.

To be clear, the DOI is not making this move just to ride the wave of popularity. By moving to the cloud they are not only getting a secure environment to work in, but they are also saving a ton of very precious budget dollars. In today’s economically conscious environments the dollar savings of the cloud probably make it imperative that you take a new look at moving more of your IT infrastructure to the cloud as well. The fact that you may be getting even better security capability than you do with your own on-premises infrastructure is the cherry on the cake.

So if it is good enough for the DOI and other parts of our security conscious government, isn’t it time that you take a fresh look at the cloud? You may find that it is more than secure enough for your midmarket needs, as well as adding dollars to your bottom line.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

August 28, 2013

I was trying to think of the most efficient way of doing this. With so many Facebook, Linkedin, Twitter and other connections, how do I reach out to them to let them know what I am working on and see if they can help? Then I remembered, I blog ;-) So no matter how this is reaching you, please have a look.

I have been consumed over these last few months working with some friends here in South Florida on launching a Techstars/Global Accelerator Network modeled startup accelerator. We are already far down the road on this. Fundraising, location, local community involvement are all moving along really well. It has been a lot of fun getting the start up juices flowing again in bringing this new venture to reality. I forgot how exhilarating it is to start something new.

The key to this model as you may know though is that it is a “mentor driven” model. We have signed up lots of local entrepreneurs and business folks from here in South Florida, but we need more. While mentors based in Florida are ideal, they don’t have to be based here. More important is your ability and inclination to help new companies reach success. There are lots of fringe benefits to mentoring. If you are not familiar with it, let me know.

Mentors should “have been there and done that” in terms of starting businesses. They are willing to roll up their sleeves to help these new companies get started. Giving advice, making your own networks available and pitching in with your experience and expertise. It is not a full time gig, but you might have to give 8 or 9 hours a week to companies you mentor.

If you would like to be involved with this exciting new adventure I am embarking on, reach out to me. I am hesitant to put too much out here before we are ready to launch, but by the time I do that it may be too late for some of you to get involved.

I always pride myself on having a great network of friends and associates. I would like to see many of you involved in this great new business with me. Let me know if you are interested.

July 24, 2013

I just got done reading a blog post by Seth Levine at Foundry Group. I have known Seth for quite a number of years from my days in Boulder and StillSecure. Seth wrote about an email encounter with an entrepreneur looking for funding that Seth rejected. The guy obviously was a little upset about the rejection and wrote Seth a nasty-gram which Seth responded to. Knowing Seth though, I can tell it got under his skin a bit. Frankly, who can blame him? You or I might have responded the same way.

But I can also understand where the antagonist (is that the right word here?) is coming from. He is frustrated, he has been turned down in his request and most of all he has not taken the time or effort to truly understand why. To him he has come to Emerald City for an audience with the Wizard. The Wizard has told him he will not grant his wish. He doesn’t know that the man behind the black curtain is pulling the levers. He sees only the illusion or reflection. He doesn’t get why the Wizard turned him down.

I remember back in my days working for a public Internet company during the dotcom bubble. The executive team used to meet in this ornate green conference room. They would meet in there for hours at a time. Coming out of these meetings it seemed like the company was always off on a new course, with a new strategy, and it meant big changes in my role and livelihood. I didn’t understand the reasons for these changes most of the time. They seemed pretty arbitrary to me. I had no insight into why they made these decisions. Because I had no insight into these decisions, I imagined the worst.

One day I was promoted to become part of the executive team. Now I was in the Green Room myself. All of a sudden I was making those decisions. There were people outside the room wondering what the hell was I thinking in making these decisions. It gave me a totally different perspective on the people in the green room.

They are people just like you and me. The decisions they make are usually for rational reasons. If they say they are going to read something, they generally are. You may not understand why they decided something, but that doesn’t mean you should assume evil connotations.

My advice to the guy who wrote to Seth is “before you go off on something, understand what it is to be in the Green Room.”

June 05, 2013

In case you haven’t heard yet, IBM has bought hosting and cloud provider SoftLayer for two billion dollars ($2b). That is a lot of money by anyone’s measuring stick. Much has been written about how this gives IBM a real cloud offering for its customers and partners.

Of course IBM already operated data centers (10 of them actually, compared to SoftLayer’s 13), but SoftLayer is a major brand and player in the hosting marketplace and an up and comer in cloud hosting. While not an Amazon or Rackspace in terms of public cloud, they have built a sizeable private cloud hosting practice up over the last few years. They use both CloudStack from the Apache Foundation and the open source OpenStack, which IBM has backed. But what about security?

Perhaps unbeknownst to many, SoftLayer had built a great security offering into their cloud and hosting solutions. I have had the chance to interview SoftLayer CTO Duke Skarda several times. I have learned that security has been built into the DNA of the SoftLayer cloud and infrastructure. While they also offered security as a service offerings from several third parties, there was substantial security technology in the SoftLayer plumbing itself.

As a result IBM customers and partners can rest assured that using the SoftLayer platform will afford them the ability to utilize a secure, scalable and battle-tested platform. On top of this it should not be long until we see IBM’s own security services integrated into the SoftLayer solutions.

In the long run this means that IBM customers and partners will see benefits from the deal pretty quickly. Longer term I think IBM has set a mark for the market to follow. Service providers like IBM and others offered cloud solutions. However, many of these were deployed on third party hosting platforms. Now that IBM has made the move, others will follow. These service providers will offer cloud services on their own platforms.

We will probably see some me too moves here with large IBM competitors buying other hosting and cloud providers. Conversely it may be that large cloud and hosting providers seek to acquire service businesses that they can leverage as a result of their hosting business.

Specifically on security, though, few hosting providers have SoftLayer's quality. If security is important to you (and to whom is security not important?), you will be hard pressed to find a better offering than SoftLayer’s. Now with IBM behind it, it represents a great choice for midmarket companies.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

May 31, 2013

As I wrote about in my Network World column last week, I have invested in a co-working space here in Boca Raton called Caffeine Spaces. Having now spent a considerable amount of time in the co-working space over a few weeks, I thought I would put together a top 10 list of tips to successfully work in such an environment. Some are do’s, some are don’ts, but following these will certainly make you more productive, popular with your fellow co-working space tenants and maybe even happier all around.

Of course basic office protocols should be followed as well. Below is a vintage video of proper office etiquette. Though the technology has changed a little bit, as well as office fashions, many of the rules still apply. Many of these apply to all office situations, but co-working spaces make them more important.

Here are my Top Ten co-working space rules:

1. Bring headphones – headphones are a must for numerous reasons. First of all, with everyone talking in the common area and networking going on, if you have any real work to do you need to shut out the noise. Even if you don’t have any music playing through the headphones, it will take you out of the public discourse and allow you to focus on your work.

2. If someone has headphones on, leave them alone – by the same token if you see someone wearing headphones think of it as a “do not disturb” sign. If they wanted to join in the conversation they would take their headphones off. They have them on for a reason. Yes there might be an emergency, but otherwise leave the dude alone.

3. Conference rooms are for conferences – they are not storage rooms, a resting stop for your equipment or your private office. Most conference space is at a premium in co-working spaces. Don’t be a conference room hog and use them for conferences.

4. White boards can be read and should be erased – Just about every time I have used a conference room over the last few weeks I have walked in to find a white board filled with information. Sometimes it is confidential or proprietary information, sometimes not. Sometimes it is just doodles frankly. The issue is, when I walk in the room and need to use the whiteboard, what should I do? I have seen people take smartphone pics of whiteboards to capture what they have on them. That is great. But when you leave the conference room, erase the board. If you don’t have the courtesy to do that, assume the next person will.

5. Speaker phones and public areas don’t work – I actually haven’t seen many people use speaker phones in the public areas, but they speak loud enough and have the volumes on their phones turned up where they might as well be. If you get a call and you are going to speak loud, get up, walk to a private area and have at it. Don’t keep the volume on your phone turned to the max.

6. Soda and snacks cost money – Unless it is figured into the rent you pay, all of the food and drink is not free. Someone is going out and stocking that fridge with cold drinks. If you are going to consume, you should replenish. Also make sure snacks and drinks aren’t noxious.

7. Today’s hello could be tomorrow’s partner or customer – The number of people you meet in a co-working space can be extraordinary and overwhelming. Co-working is a social environment. While you can pick a corner and wait for people to come to you, if you are not going to be open about meeting people, you are losing out on a big part of the co-working experience. I am not saying you need to give out “hello my name is . . .” tags or accost people as they enter. A smile and hello as people approach or make eye contact is, I find, more than enough to put people at ease and kick things off.

8. Don’t be a stalker – There is a thin line between outgoing and becoming a stalker. Don’t be a stalker. If people don’t seem like they are looking for your input, help or interaction, don’t force yourself on them. Be cognizant of body language and non-verbal cues. Know when to step out and away. Be mindful that not everyone is here to interact with you all of the time.

9. Pay it forward – Something I have heard many talk about in the startup community. It may even sound corny, but it is true. I am finding that if you don’t wait for people to do for you, but go out and do for them, without immediate expectation of payback either, it comes back in spades.

10. Business cards still count – They may be old fashioned, but you still need to give people a way to contact you. They may scan them into Google Goggles or any number of places, but we have not come to a point where the card is obsolete. Of course this begs the question as to what to do with all of these business cards. After just a few weeks I noticed I have over 75 different business cards on my night table. What a waste of paper! Maybe the thing to do is return the card after you scan it? There is probably a good solution and business there somewhere. But for now be sure to bring business cards!

There you have it, culled from just a few weeks working in a co-working space. Did I miss any big ones? What has your experience been?

May 06, 2013

My friends at iScan Online, Billy Austin and Carl Banzhof, have just released their latest whitepaper on BYOD Security Scanning. This is an area of vulnerability scanning and compliance management that is not really being covered by any particular company today.

Where mobile device management and anti-malware for mobile devices meet, there is a gap. This gap is filled by iScan Online. They can do on demand full vulnerability scans on mobile devices, configuration scans for misconfigurations and data discovery scans for credit card numbers, social security numbers and other personal or confidential data.

This paper highlights the 5 reasons why BYOD security scanning is a must have and what a good BYOD security scanning solution must do.

You can view the paper below or head over to iScan Online to download it.

May 01, 2013

This is a great question for a business school class, but there are also real life situations where this is more than a mental exercise. The very survival of a business and the livelihood of all its employees can hang in the balance.

My case in point for this blog post is Shutterfly. I have been a Shutterfly member/customer since it first started around the time my younger son was born. Over the years I have stored literally thousands of pictures and videos on Shutterfly, ordered prints and recently created share sites for all of the sports teams I coach.

Shutterfly has some great things you can do and buy with your digital pictures. I never bought a lot of products, but they looked very nice.

The situation changed a couple of months ago when I decided to order some photo products with photos from my oldest son’s Bar Mitzvah. I ordered some larger prints, leather bound photo books, acrylic prints, etc. I think the prices Shutterfly charges are fair and didn’t have a problem with them.

Unfortunately about half of the products I have ordered have had to be refunded or returned. Each and every time the folks at Shutterfly have been great. In fact on one of them they said my photo book was being delayed, but they were sending me a free cheaper photo book to make up for it. That one came with a mistake and they sent me another free one. After a few weeks they finally sent me the original book I ordered and when it came, it was literally falling apart.

Again the customer service folks were very nice. They gladly refunded the price and told me to keep the book. But frankly after spending tens of hours working on the book, I was disappointed that it was all for nothing.

I really want to keep using Shutterfly. I want to be a customer and buy products so they stay in business. I like the company and think their customer service is tops. But how long and how many times can you put up with sub-quality products before enough is enough? What do you think? Customer service can make up for some product issues, but when does it tip over to the point of no return?

April 30, 2013

If your midmarket enterprise is like most, sooner or later you will be the victim of a data breach. Data breaches are never fun, but how and what you tell your customers can be the difference between minimizing the impact to your company’s bottom line and a full-fledged disaster.

Informing your customers about everything you know and taking reasonable precautions will always work better than sugar coating and trying to minimize the potential damage. Trying to minimize the situation to your customers so as to not panic them could wind up costing you customers in the long run.

As a case in point I want to contrast two recent data breach cases. One is the case of local deals vendor LivingSocial and the other is the video rental service Vudu.

I recently received the following email from Living Social:

IMPORTANT INFORMATION

LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue.

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords -- technically 'hashed' and 'salted' passwords. We never store passwords in plain text.

Two things you should know:

1. The database that stores customer credit card information was not affected or accessed.

2. If you connect to LivingSocial using Facebook Connect, your Facebook credentials were not compromised.

You do not need to take any action at this time, but we wanted to be sure you were fully informed of what happened.

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website - and require you to login - before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a website that asks for such information.

If you have additional questions about this process, the "Create New Password" button on LivingSocial.com will direct you to a page that has instructions on creating a new password and answers to frequently asked questions.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Sincerely, Tim O'Shaughnessy, CEO

Now, I understand that LivingSocial wants to minimize the potential damage here. To me though they have made two crucial errors. One is that they are giving their customers the impression that because their passwords were encrypted (actually salted and hashed), there is a low likelihood that they would be useable. This is not necessarily true. In fact there have been several cases and much written about the relative ease that hackers have in cracking these passwords.

Based upon their opinion that there is a low likelihood of these passwords being compromised, they tell their customers that they do not have to do anything at this time, but if they want to change their passwords they can. Knowing that these passwords could be compromised, why not make everyone change their passwords? Forcing a password change would seem a rather trivial thing to do and would ensure the integrity of your customers’ accounts. In a similar situation you should strongly lobby for mandatory password resets.
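What “make everyone change their passwords” looks like inside a credential store, as an added example (this is not LivingSocial’s or VUDU’s code, and the user name, passwords and PBKDF2 iteration count are constructed assumptions). It stores passwords with a per-user salt and a deliberately slow key derivation, so that each guess against a stolen table costs the attacker the same work the server pays per login, and it shows the breach response the post argues for: a flag that blocks every existing password until its owner sets a new one through the current-password flow VUDU’s notice describes.

```python
"""Salted, slow password hashing plus a breach-response "force reset" flag.

Added example, not LivingSocial's or VUDU's code. A salted fast hash (one
SHA-256 call per guess) only stops precomputed tables; PBKDF2 with a high
iteration count makes each guess expensive, and a mandatory reset retires
the stolen digests no matter how fast they can be tested.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed work factor: raise it until one verification costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 100_000


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    iterations: int
    reset_required: bool = False  # set on every account after a breach


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Credential:
    """Derive a per-user salted PBKDF2-HMAC-SHA256 digest (fresh salt by default)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return Credential(salt=salt, digest=digest, iterations=iterations)


def _matches(cred: Credential, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)


class PasswordStore:
    """In-memory credential table standing in for the user database."""

    def __init__(self) -> None:
        self._creds: Dict[str, Credential] = {}

    def register(self, user: str, password: str) -> None:
        self._creds[user] = hash_password(password)

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'reset_required'."""
        cred = self._creds.get(user)
        if cred is None:
            # Burn the same work for unknown users so response timing does
            # not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if not _matches(cred, password):
            return "denied"
        if cred.reset_required:
            return "reset_required"
        return "ok"

    def force_reset_all(self) -> int:
        """Breach response: no existing password grants access again until it
        is changed. Returns the number of accounts flagged."""
        for cred in self._creds.values():
            cred.reset_required = True
        return len(self._creds)

    def change_password(self, user: str, current: str, new: str) -> bool:
        """The flow VUDU's notice describes: the current password is accepted
        only to set a new one. Re-using the old (possibly stolen) password is
        refused, and the old digest is discarded once the new one is stored."""
        cred = self._creds.get(user)
        if cred is None or not _matches(cred, current) or new == current:
            return False
        self._creds[user] = hash_password(new)  # fresh salt, reset flag cleared
        return True


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery staple")  # constructed sample user
    print(store.login("alice", "correct horse battery staple"))  # ok
    print(store.force_reset_all(), "account(s) flagged for reset")
    print(store.login("alice", "correct horse battery staple"))  # reset_required
    store.change_password("alice", "correct horse battery staple", "new passphrase 2013")
    print(store.login("alice", "new passphrase 2013"))  # ok
```

Two design points are worth noting. The reset flag is stored beside the digest rather than by deleting the digest, so the account still proves possession of the current password before a new one is accepted; if the stolen hashes are believed crackable, an out-of-band token sent to the verified email address is the safer alternative to the current-password step. And the iteration count is stored per credential, so it can be raised later and old records re-hashed at the user’s next successful login without a second mass reset.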

Secondly, again, LivingSocial is telling their customers that they don’t have to do anything. But clearly customer names, email addresses and dates of birth were stolen. It doesn’t take much for a criminal to take that, match it up with public record information and quickly gather enough information to start using a false identity for nefarious purposes.

While some states mandate complimentary credit watch services for customers in these kinds of cases, at least suggesting to be on the lookout for fraudulent credit transactions and suggesting a credit watch service seems called for here.

Again in the interest of keeping customers calm and downplaying this breach, customers could be potentially at greater risk. The breach happened already, breaches happen. Good security practice and customer service should require you to place the bar high in terms of protecting and warning your customers.

As I mentioned earlier, Vudu also recently had a breach. Here is the email I received regarding that one:

Dear alan,

We want to let you know that there was a break-in at the VUDU offices on March 24, 2013, and a number of items were stolen, including hard drives. Our investigation thus far indicates that these hard drives contained customer information, including names, email addresses, postal addresses, phone numbers, account activity, dates of birth and the last four digits of some credit card numbers. It's important to note that the drives did NOT contain full credit card numbers, as we do not store that information. Additionally, please note if you have never set a password on the VUDU site and have only logged in through another site, your password was not on the hard drives.

While the stolen hard drives included VUDU account passwords, those passwords were encrypted. We believe it would be difficult to break the password encryption, but we can't rule out that possibility given the circumstances of this theft. So we think it's best to be proactive and ask that you be proactive as well.

SECURITY PRECAUTIONS: If you had a password set on the VUDU site, we have taken the precaution of expiring and resetting that password. To create a new password, go to www.vudu.com. Click the "Sign In" button at the top of the page. Enter your current username and current password when prompted, then follow the instructions to reset your password securely. Also, if you use your expired VUDU password on any other sites, we strongly recommend that you change it on those sites as well.

As always, remember that VUDU will never ask you for personal or account information in an e-mail. Please use caution if you receive any emails or phone calls from anyone asking for personal information or directing you to a web site where you are asked to provide personal information. As an added precaution, we are arranging to have AllClear ID protect your identity for one year at no cost to you.

We have FAQs on our web site (vudu.com/passwordreset) to answer questions on the incident and to more fully describe how to use the AllClear ID service. We have reported this incident to law enforcement and are cooperating fully with their investigation. We want you to know that we take this matter very seriously, and we apologize for any inconvenience this may have caused you.

Thank you, Prasanna Ganesan, Chief Technology Officer, VUDU

Can you see the difference? VUDU also states that the passwords were encrypted and unlikely to be cracked, but nevertheless they have expired everyone’s password forcing you to pick a new one. They are also making arrangements for ID protection for one year.

This makes me feel that VUDU is serious about protecting me and is not sugar coating or minimizing the consequences of the data breach. To me this is textbook on how to communicate a breach to your customers.

In both cases I don’t blame VUDU or LivingSocial for being victims of data theft. It can and does literally happen to everyone. Also both companies are successful businesses. But as a midsize enterprise how you communicate a breach to your customers can communicate an awful lot.

If your company is the victim of a breach, follow best practices to inform and most importantly protect your customers.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

April 26, 2013

IBM’s X-Force research team recently released their “2012 Trend and Risk Report”. The report is a great look back at last year and is full of metrics and analysis on the kinds of threats and risks seen across the spectrum of different verticals last year in information security. It also has some excellent advice on how to institute and operate a successful information security and risk management program. If you are interested in security (and who isn’t?) you should definitely download and give it a read.

One section I wanted to highlight and expand on though was the “If IBM X-Force were running the IT department” section. Here is the X-Force’s top 10 list to make you more secure. This is especially relevant for mid-market companies that may not have the budget or resources to do everything they might like around risk and threats. If you could check each of these ten off you would have the foundation of a solid strategy.

1. Perform regular third party external and internal security audits – Many organizations are reluctant to bring in an outside party to conduct security audits. I am not sure if it is a case of not wanting to share dirty laundry with outsiders or a case of “ignorance is bliss”, but either way it is a mistake. Having a security expert come in on a regular basis to give you a “hacker’s eye view” is one of the best ways to see how your security plan really holds up. My recommendation is a full internal and external audit annually, with external only audits quarterly if possible.

2. Control your endpoints – This used to be a whole lot easier. The advent of BYOD has made control of your endpoints more like being the sheriff in the Wild West. Of course it is probably futile to try and prohibit BYOD devices from accessing your network, data and applications. A more realistic goal may be to at least have a mobile device management solution in place. The first step is to have policies defining what is acceptable in terms of endpoints, what configurations are required, what applications can be accessed and what security should be installed on them. Regular security scanning, including vulnerability and configuration testing should be mandatory across the board! Of course traditional company owned devices are a lot easier to manage and control.

3. Segment sensitive systems and information – You need to treat your high value assets as high value. That means giving them an extra level of protection. This starts with segmenting them off from the rest of the network. Too many mid-size organizations run flat networks where once you have access to the network, you can see and access everything on it. This is obviously a mistake. High value assets should be segregated from the rest of the network. Access to, and even visibility of, these networks should be on a “need to know” basis. This can be accomplished using VLANs, firewalls and identity and access control.

4. Protect your network via basics (firewalls, anti-virus, intrusion prevention devices, etc.) – Too many of us are always lusting after and chasing the latest and greatest shiny new technology widgets. A perfect example of this is the latest infatuation with some of the newest threat detection technologies that run incoming packets in sandboxes before allowing them into the network. While new technologies can be exciting and effective, they should not be instituted at the expense of the “meat and potatoes” of your security program. They may not be sexy, but firewalls, AV and IPS are still front line tools for the defense. A recent report by 451 Research about the “Real Cost of Security” by Wendy Nather showed that most CISOs would still pick AV and firewall among their top choices in building out a security program. You should too!

5. Audit your web applications – Web application security is perhaps the hottest area of security today. An increasing percentage of attacks are targeting web applications. SQL injection, cross-site scripting and drive-by attacks have all become all too common in the news. There are different aspects to securing web applications. It starts with secure code development. Building security into the development process is a great way to start with a strong foundation. Just as having a 3rd party audit is a must, an audit of your web applications, covering not only the code but the implementation as well, should be performed before an app is deployed and after every change to code and infrastructure. There are any number of firms that can perform this type of test for you.
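To make the SQL injection point concrete, here is an added example (not code from the post or from the IBM report) showing the kind of defect a code audit looks for: a lookup that concatenates user input into the SQL text, beside the same lookup written with a parameterized query. The table, rows and usernames are constructed for the illustration and use Python's built-in sqlite3 module.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the caller-supplied value becomes part of the SQL text,
    so quote characters in the input change the meaning of the WHERE clause."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound as a parameter, so it is only ever
    compared as data and can never alter the query structure."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def audit_lookup(username: str) -> dict:
    """Run both variants on the same input and report how many rows each returns;
    a mismatch is the signal an auditor is looking for."""
    conn = build_db()
    return {
        "unsafe_rows": len(lookup_unsafe(conn, username)),
        "safe_rows": len(lookup_safe(conn, username)),
    }


if __name__ == "__main__":
    print(audit_lookup("alice"))
    print(audit_lookup("' OR '1'='1"))  # constructed malformed input
```

With an ordinary username both functions return the same single row; with input containing a stray quote, the unsafe version returns every row while the parameterized version returns none, which is exactly the behaviour difference an application audit should catch before deployment.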

6. Train end users about phishing and spearphishing – This sounds like a no-brainer, but you would be surprised how many companies don’t take the time for security awareness training. It is even more important today when so many of the most sophisticated attacks actually start with a targeted spearphish aimed at a key person in your organization. Recognizing phishing attempts, and not clicking on links in email, social media or anywhere else unless you are sure who sent them and where they go, is a must if you hope to keep your organization out of the next headlines.

7. Search for bad passwords – This can be automated, and strong password requirements can be built into many applications today. Passwords still represent one of the weakest links in our security technology. At some point, hopefully, 2-factor authentication, biometrics and other technologies may make passwords obsolete. But until then we are stuck with them. Passwords like 123456 and password are just not acceptable and should not be allowed. Password managers offer lots of choices so that users don’t have to remember strong passwords. Also, requirements to change passwords regularly should be instituted and enforced.
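Two pieces of the “this can be automated” claim, as an added example that is not code from the post: a policy check applied when a password is set, and an audit that searches an existing credential store for known-bad passwords without ever needing the plaintext, by hashing each denylist entry with the account’s own salt and comparing. The denylist, the minimum length, the PBKDF2 parameters and the sample accounts are all constructed assumptions for the illustration; a real audit would load a large breach-derived wordlist and use whatever hash scheme the application actually stores.

```python
import hashlib
import hmac
import os
import re

# Constructed denylist; a deployment would load thousands of entries from a file.
WEAK_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 50_000  # assumed work factor for this illustration


def policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("on the weak-password denylist")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must mix letters and digits")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the application's real scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_store(plaintexts: dict) -> dict:
    """Build a constructed credential store: username -> (salt, hash)."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def find_weak_accounts(store: dict) -> dict:
    """Search stored hashes for denylisted passwords. Returns username -> matched entry.
    Works purely on salt + hash, so the auditor never sees any user's real password."""
    hits = {}
    for user, (salt, stored) in store.items():
        for weak in sorted(WEAK_PASSWORDS):
            if hmac.compare_digest(hash_password(weak, salt), stored):
                hits[user] = weak
                break
    return hits


if __name__ == "__main__":
    print(policy_violations("password"))
    store = make_store({"alice": "Tr0ub4dor&3xyz!", "bob": "123456", "carol": "password"})
    print(find_weak_accounts(store))
```

The audit cost scales with accounts times denylist entries times the hash work factor, which is the same cost an attacker pays; that is acceptable for a periodic internal search but is also the reason the policy check at set-time matters more than the after-the-fact sweep.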

8. Integrate security into every project plan – Microsoft did this years ago with their Trustworthy Computing initiative and it forever changed Windows. Security is too important to be an afterthought bolted on after the fact. Everything you do or plan to do has to be seen through the prism of security. Failing to do so could wind up putting your organization at dire risk.

9. Examine the policies of business partners – We live in an interconnected world; no one exists in a vacuum. Our partners often have to have access to our data and systems in order to work with us. However, they can also represent a vector into our systems for hackers and criminals. You must institute a policy on what 3rd parties have to demonstrate, and how, before they are given access to your network. This should also be regularly audited and re-examined.

10. Have a solid incident response plan – It is not a question of if, but when something is going to happen. Do not let your pride and ego get in the way of putting in place a plan for what to do when you have an incident. While you are at it, you should have a worst case scenario as part of your planning. Today’s threat and risk landscape means you should assume that you will have security incidents. How you respond to these incidents as a mid-market company could mean the difference between the survival of the organization or not. Well thought out incident response plans make all the difference in the world in the fluid, fast moving situations that follow discovery of a security incident.

There is a whole lot more in this great report from the IBM X-Force team. Go download it and read it at least twice!

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

April 22, 2013

Tomorrow, April 23, 2013 at 2pm eastern time my friend Dominique Karg of AlienVault and I are doing a webinar on “Who Moved the Cheese in Security”. It should be a lot of fun and I invite everyone to listen in and participate.

This grew out of a conversation Dominique and I had after RSA. It was amazing to us that some security executives actually believed that the Cloud, BYOD and such were passing fads. That soon we would return to traditional networks and traditional security. Talk about putting your head in the sand.

We will discuss not only that the technology has changed, but how. We will also discuss how attacks and attack vectors have changed. Finally, what should you do, and how is success defined?